Cisco Support Community

New Member

access-list question

I'm working on building an access list for the inside interface of my ASA, and while looking at a few packet captures of traffic crossing that interface I'm starting to question my understanding of ACLs. I'm pretty sure in previous configurations of other firewalls, ASAs included, I did not have to account for return traffic initiated by hosts on the Internet. For example, say there is a web server sitting on the inside interface, and the access list on the outside interface allowed traffic from any host to www on the host on the inside. The host's source port would be some random high-order port, in which case the www server on the inside would be responding on that high-order port. I don't need to allow for return traffic to those high-order ports if I put an access list on the inside interface in the inbound direction, do I? Won't the outside interface ACL and stateful packet filtering account for that return traffic crossing the inside interface without getting blocked?

thank you,

Bill

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Blue

Re: access-list question

Bill

You are correct in your assumptions. The access-list on the inside interface should not have an effect on stateful return traffic. I say stateful because some traffic you need to allow both ways, e.g. GRE traffic, but normal TCP traffic such as for a webserver is stateful.

This would only be an issue for you if these were normal access-lists on router interfaces - then it would matter.

Jon
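As an added illustration (constructed for this thread, not Cisco code and not part of Jon's or Bill's posts), a small Python model of the behaviour described above: a per-interface inbound ACL plus a connection table, where TCP/UDP flows build state and GRE does not, so the web server's reply to a high-order port passes the inside interface without any inside ACL entry, a stateless router-style ACL would drop the same reply, and GRE needs an explicit rule in both directions. Addresses, ports and the two-protocol tracking set are assumptions of the model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "gre"
    src: str
    sport: int   # 0 for protocols without ports (GRE)
    dst: str
    dport: int

TRACKED = {"tcp", "udp"}   # assumption: only these get connection-table entries in this model

class StatefulFirewall:
    """Toy ASA: one inbound ACL per interface plus a connection table."""
    def __init__(self, outside_acl, inside_acl):
        self.acls = {"outside": outside_acl, "inside": inside_acl}
        self.conns = set()   # 5-tuples of flows an ACL has already permitted

    def inspect(self, iface, p, stateful=True):
        """True if a packet arriving inbound on `iface` is forwarded.
        stateful=False behaves like a plain router ACL: every packet must match a rule."""
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if stateful and p.proto in TRACKED and reverse in self.conns:
            return True   # return traffic of a known connection: the ACL is never consulted
        if any(rule(p) for rule in self.acls[iface]):
            if p.proto in TRACKED:
                self.conns.add(key)   # first packet of a flow permitted: remember it
            return True
        return False

def demo():
    # Constructed policy: outside ACL permits anyone to the web server on 80 and GRE to it;
    # inside ACL permits only DNS out. Nothing mentions high-order return ports.
    web = "10.1.1.10"
    outside_acl = [lambda p: p.proto == "tcp" and p.dst == web and p.dport == 80,
                   lambda p: p.proto == "gre" and p.dst == web]
    inside_acl = [lambda p: p.proto == "udp" and p.dport == 53]
    fw = StatefulFirewall(outside_acl, inside_acl)
    syn = Packet("tcp", "203.0.113.5", 51234, web, 80)
    reply = Packet("tcp", web, 80, "203.0.113.5", 51234)
    gre_in, gre_back = Packet("gre", "203.0.113.9", 0, web, 0), Packet("gre", web, 0, "203.0.113.9", 0)
    result = {"syn_permitted": fw.inspect("outside", syn),
              "reply_stateful": fw.inspect("inside", reply),                   # Bill's case
              "reply_stateless": fw.inspect("inside", reply, stateful=False),  # router ACL
              "gre_in_permitted": fw.inspect("outside", gre_in),
              "gre_back_without_rule": fw.inspect("inside", gre_back)}         # GRE not tracked
    inside_acl.append(lambda p: p.proto == "gre")   # the explicit both-ways rule Jon mentions
    result["gre_back_with_rule"] = fw.inspect("inside", gre_back)
    return result
```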

2 REPLIES
New Member

Re: access-list question

thank you
